It was just over a year ago that Colonial Pipeline was brought down with a devastating ransomware attack. Within 24 hours of discovering the ransom note, CEO Joseph Blount made the decision to pay $4.4 million to the perpetrators. In an interview with the Wall Street Journal, Blount said that although the decision was a difficult one, it was “the right thing to do for the country.”
The decision of whether or not to pay the ransom is one of the most stressful a company can face. There is a lot of pressure from governments, law enforcement and the cybersecurity community not to pay a ransom, and there are certainly some good reasons not to (see Part 2 for more on this).
In fact, there are those who want to ban organizations from paying ransoms altogether. But in the immortal lyrics of Elvis Presley, “Before you abuse, criticize and accuse, just walk a mile in my shoes.” That's because every situation is different, and sometimes a company must do what’s best for the business and those that rely on its operations.
It's always best to have options, but sometimes you find yourself with your back against the wall and none to choose from. A working backup of your critical data and virtual server infrastructure is your get-out-of-jail card.
Sometimes, however, victimized organizations find themselves without a card to play after a ransomware attack. If your organization lacks a proper backup strategy, or if the attackers manage to take out your backups prior to the attack, there is no ace in the hole. Without a way to restore your data to a production state, the only alternative to paying the ransom might be to close the doors. Lincoln College in Illinois was recently forced into that tragic state of affairs.
As the operator of the largest pipeline system for refined oil products in the United States, Colonial Pipeline arguably had a ‘duty of care’ to the areas it serves. Certainly, a regional power company during times of extreme temperatures would be obligated to restore operations as quickly as possible, and similar obligations could be applied to health care or educational settings.
Then there is the issue of third-party data. Many ransomware gangs exfiltrate data before encrypting it. They then threaten to publish the data as a second form of extortion should the victim be able to restore from a backup. This creates a gray area, as paying the ransom would preserve the privacy of those whose data was compromised. Certainly, those individuals would encourage that the ransom be paid.
While it may be naïve, let’s assume that paying the ransom would guarantee getting your data back. Should you decide not to pay, you must factor in the opportunity cost of that decision, based on that assumption.
Restoring data from backups is time consuming. In addition to losing money during the resulting downtime, your business is incurring costs for mitigation, recovery, and possible fines for non-compliance.
You may also endure future litigation costs. In the end, the total cost of ransomware exceeds the ransom payment in most cases. The fact that the ransom is a cheaper alternative is not by accident—experienced ransomware organizations know what these costs are and price their ransom accordingly. Like it or not, paying the ransom can be a smart business decision.
In the end, the decision to pay isn’t as cut and dried as it seems, and the decision to do so is one that you won't be proud of. There are times in life, however, when you are forced to choose not the best option, but the “least worst” option facing you.